What are passkeys?

Share via

Passkeys are a replacement for passwords. A password is something that can be remembered and typed, and a passkey is a secret stored on one’s devices, unlocked with biometrics.

Passkeys are:

Intuitive

Creating and using passkeys is as simple as consenting to save and use them. No having to create a password.

Automatically unique

By design, passkeys are unique per-service. There’s no chance to reuse them.

Breach-resistant

A passkey is only stored on a user’s devices. Relying Party (RP) servers store public keys. Even servers that assist in the syncing of passkeys across a user’s devices never have the ability to view or use the private keys for a user’s passkeys.

Phishing-resistant

Rather than trust being rooted in a human who has to verify they’re signing into the right website or app, browsers and operating systems enforce that passkeys are only ever used for the appropriate service.

The guidance on this site is currently targeted towards sites and services that are using either password only or password + OTP (SMS, app TOTP, app push, magic link) sign in flows. Future guidance will include more advanced and higher assurance scenarios.

Last Updated: Jan 06, 2025

Docs

Passkeys are: